US-8510838

Malware protection using file input/output virtualization

Published: August 13, 2013
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

Applications running in an API-proxy-based emulator are prevented from infecting a PC's hard disk when executing file I/O commands. Such commands are redirected to an I/O redirection engine instead of going directly to the PC's normal operating system, where they could potentially harm files on the hard disk. The redirection engine executes the file I/O command using a private storage area on the hard disk that is not accessible by the PC's normal operating system. If a file that is the subject of a file I/O command from an emulated application is not in the private storage area, a copy is made from the original that is presumed to exist in the public storage area. This copy is then acted on by the command and is stored in the private storage area, which can be described as a controlled, quarantined storage space on the hard disk. In this manner the PC's (or any computing device's) hard disk is defended from potential malware that may originate from applications running in emulated environments.
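The redirection described in the abstract can be modelled in a few lines. This is an added example, not code from the patent or from this page: the class and method names are hypothetical, two ordinary directories stand in for the private and public storage areas, and the `is_clean` callable stands in for the scanning service.

```python
import os, shutil, tempfile
from pathlib import Path

class RedirectionEngine:
    """Hypothetical model of the abstract's I/O redirection engine."""
    def __init__(self, public_root, private_root):
        self.public = Path(public_root).resolve()
        self.private = Path(private_root).resolve()

    def _rel(self, name):
        # Refuse names that resolve outside the private area (e.g. "../x").
        target = (self.private / name).resolve()
        if self.private not in target.parents:
            raise PermissionError(f"path escapes private area: {name}")
        return target.relative_to(self.private)

    def open(self, name, mode="r"):
        rel = self._rel(name)
        target = self.private / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        if not target.exists() and (self.public / rel).is_file():
            # First touch: copy the public original, then act only on the copy.
            shutil.copy2(self.public / rel, target)
        return open(target, mode)

    def release(self, is_clean):
        """Scan quarantined files; move clean ones to public, delete the rest."""
        verdicts = {}
        for path in sorted(p for p in self.private.rglob("*") if p.is_file()):
            rel = path.relative_to(self.private)
            if is_clean(path.read_bytes()):
                dest = self.public / rel
                dest.parent.mkdir(parents=True, exist_ok=True)
                os.replace(path, dest)
                verdicts[rel.as_posix()] = "released"
            else:
                path.unlink()
                verdicts[rel.as_posix()] = "deleted"
        return verdicts

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        public, private = Path(tmp, "public"), Path(tmp, "private")
        public.mkdir(); private.mkdir()
        (public / "notes.txt").write_text("original")
        eng = RedirectionEngine(public, private)
        with eng.open("notes.txt", "a") as f:      # emulated app appends
            f.write(" +appended")
        with eng.open("dropper.bin", "w") as f:    # constructed sample, not real malware
            f.write("EVIL-MARKER payload")
        before = (public / "notes.txt").read_text()  # public copy still untouched
        try:
            eng.open("../public/notes.txt", "w"); escaped = True
        except PermissionError:
            escaped = False
        verdicts = eng.release(lambda data: b"EVIL-MARKER" not in data)
        after = (public / "notes.txt").read_text()
        return before, escaped, verdicts, after, (public / "dropper.bin").exists()
```

A plain directory does not give the isolation the claims require ("inaccessible by normal operating system commands"); the model only shows the copy-on-first-access and scan-then-release flow.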

Patent Claims
18 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A method of defending a computing device against malware, said computing device including a processor, a memory and a network interface, the method comprising: utilizing a cloud-based malware scanning service for detecting malware; receiving an application on said computing device from a source that is external to said computing device; determining that said cloud-based malware scanning service is unavailable after said utilizing and performing malware detection analysis on the application using a local scanning process when said cloud-based malware scanning service is unavailable; when it is determined that malware is detected in said application, executing the application in a virtualized environment when said cloud-based malware scanning service is unavailable, said virtualized environment using a real CPU of said computing device but not affecting a normal operating environment of said computing device; utilizing a first persistent storage area of said computing device for file input/output (I/O) commands in which to write one or more files from the application, wherein the first persistent storage area is inaccessible by normal operating system commands and is used when the cloud-based malware scanning service is unavailable; and after said cloud-based malware scanning service again becomes available, scanning said one or more files in the first persistent storage area by said cloud-based malware scanning service to determine if any of the one or more files are malware-free and can be moved to a second persistent storage area of said computing device which is accessible by said normal operating system commands.

Plain English Translation

A method to protect a computer from malware involves using a cloud-based service to scan applications. When the cloud service is unavailable, the computer performs its own malware analysis. If malware is detected, the application runs in a virtualized environment using the computer's actual CPU, but isolated from the normal operating system. File input/output (I/O) operations write files to a protected storage area inaccessible to the normal operating system. Once the cloud service is available again, the files in this protected area are scanned. Clean files are then moved to a normal, accessible storage area.

Claim 2

Original Legal Text

2. The method as recited in claim 1 wherein the virtual environment is created in an I/O redirection engine.

Plain English Translation

In the malware protection method described, file input/output (I/O) operations write files to a protected storage area inaccessible to the normal operating system, and once the cloud service is available again, the files in this protected area are scanned for malware and clean files are moved to a normal, accessible storage area. The virtualized environment used is created within an I/O redirection engine, which intercepts and manages file system calls.

Claim 3

Original Legal Text

3. The method as recited in claim 1 wherein performing malware detection analysis further comprises: performing a forensic malware scan that does not require accessing the cloud-based malware scanning service.

Plain English Translation

In the malware protection method described, file input/output (I/O) operations write files to a protected storage area inaccessible to the normal operating system, and once the cloud service is available again, the files in this protected area are scanned for malware and clean files are moved to a normal, accessible storage area. The local malware detection analysis includes a forensic scan that doesn't require accessing the cloud-based service, allowing for offline malware detection.

Claim 4

Original Legal Text

4. The method as recited in claim 1 further comprising: determining whether any of said one or more files should be deleted, wherein the scanning is done after the cloud-based malware scanning service becomes available.

Plain English Translation

In the malware protection method described, file input/output (I/O) operations write files to a protected storage area inaccessible to the normal operating system, and once the cloud service is available again, the files in this protected area are scanned for malware and clean files are moved to a normal, accessible storage area. After the cloud service comes back online, the method also determines if any files in the quarantined area should be deleted based on the scan results.

Claim 5

Original Legal Text

5. The method as recited in claim 4 further comprising: when it is determined that no malware is detected, executing the application in a normal operating system environment using the second persistent storage area.

Plain English Translation

In the malware protection method described, file input/output (I/O) operations write files to a protected storage area inaccessible to the normal operating system, and once the cloud service is available again, the files in this protected area are scanned for malware and clean files are moved to a normal, accessible storage area. Also, if no malware is detected after scanning the files in the protected storage, the application is executed in the normal operating system environment, using files from the second, now-accessible storage area.

Claim 6

Original Legal Text

6. The method as recited in claim 5 further comprising: copying a file from the second persistent storage area in order to execute a file I/O command.

Plain English Translation

In the malware protection method described, file input/output (I/O) operations write files to a protected storage area inaccessible to the normal operating system, and once the cloud service is available again, the files in this protected area are scanned for malware and clean files are moved to a normal, accessible storage area. Also, if no malware is detected and the application runs in a normal operating system environment, a file from the accessible storage area is copied when a file I/O command needs to be executed.

Claim 7

Original Legal Text

7. A computing device comprising: a processor; a network interface for communicating with a cloud-based malware scanning service; an application verification module for scanning applications on the computing device when the cloud-based scanning service is unavailable; an input/output (I/O) redirection engine for creating and maintaining a virtualized environment to be used when the cloud-based scanning service is unavailable, said virtualized environment utilizing the processor and not a virtual processor; a memory component having a quarantined storage space and a public storage space, wherein the quarantined storage space has a first persistent storage area accessed only by the I/O redirection engine, is inaccessible by normal operating system commands, is used when the cloud-based malware scanning service is unavailable and includes one or more files written by said one of said applications when said cloud-based scanning service is unavailable; and a scanning component for scanning said one or more files in the first persistent storage area by said cloud-based malware scanning service to determine if any of the one or more files are malware free and can be moved to a second persistent storage area of said public storage space which is accessible by said normal operating system commands, said scanning component performing said scanning when said cloud-based malware scanning service is available after being unavailable.

Plain English Translation

This invention relates to computing devices with enhanced malware scanning capabilities, particularly when cloud-based scanning services are unavailable. The device includes a processor, a network interface for cloud-based malware scanning, and an application verification module that scans applications locally when the cloud service is offline. An I/O redirection engine creates a virtualized environment using the device's physical processor (not a virtual processor) to isolate operations when cloud scanning is unavailable. The device's memory is divided into quarantined and public storage spaces. The quarantined space has a first persistent storage area exclusively accessible by the I/O redirection engine and inaccessible via normal operating system commands. This area stores files generated by applications when cloud scanning is unavailable. When the cloud service becomes available again, a scanning component checks these files for malware. If files are deemed safe, they are moved to a second persistent storage area in the public space, which is accessible via standard operating system commands. This system ensures continuous malware protection even when cloud services are offline, maintaining security without disrupting user operations.

Claim 8

Original Legal Text

8. The computing device as recited in claim 7 wherein the I/O redirection engine contains a virtual I/O platform module.

Plain English Translation

The computing device protects against malware using a cloud-based scanning service, an application verification module, an I/O redirection engine that creates a virtualized environment, and memory components with quarantined and public storage spaces. The I/O redirection engine contains a virtual I/O platform module to manage the virtualized environment.

Claim 9

Original Legal Text

9. The computing device as recited in claim 7 wherein the memory component is a hard disk that does not have a direct relationship with conventional memory address ranges.

Plain English Translation

The computing device protects against malware using a cloud-based scanning service, an application verification module, an I/O redirection engine that creates a virtualized environment, and memory components with quarantined and public storage spaces. The memory component is a hard disk that isn't directly related to conventional memory address ranges, separating it from normal memory access.

Claim 10

Original Legal Text

10. The computing device as recited in claim 7 wherein the application verification module performs a forensic malware scan.

Plain English Translation

The computing device protects against malware using a cloud-based scanning service, an application verification module, an I/O redirection engine that creates a virtualized environment, and memory components with quarantined and public storage spaces. The application verification module performs a forensic malware scan, providing detailed analysis.

Claim 11

Original Legal Text

11. The computing device as recited in claim 9 wherein the I/O redirection engine contains a hard disk interface.

Plain English Translation

The computing device protects against malware using a cloud-based scanning service, an application verification module, an I/O redirection engine that creates a virtualized environment, and memory components with quarantined and public storage spaces, where the memory is a hard disk that isn't directly related to conventional memory address ranges. The I/O redirection engine contains a hard disk interface for managing I/O operations with the hard disk.

Claim 12

Original Legal Text

12. The computing device as recited in claim 7 wherein contains a file I/O command receiving module.

Plain English Translation

The computing device protects against malware using a cloud-based scanning service, an application verification module, an I/O redirection engine that creates a virtualized environment, and memory components with quarantined and public storage spaces. The device contains a file I/O command receiving module, which intercepts and processes file system commands.

Claim 13

Original Legal Text

13. The method as recited in claim 1 further comprising: operating an anti-virus (AV) agent scanner on the computing device that operates between the application and the operating system and is used in conjunction with the cloud-based malware scanning service.

Plain English Translation

In the malware protection method described, file input/output (I/O) operations write files to a protected storage area inaccessible to the normal operating system, and once the cloud service is available again, the files in this protected area are scanned for malware and clean files are moved to a normal, accessible storage area. An anti-virus (AV) agent scanner runs on the computer between the application and the operating system and is used in conjunction with the cloud-based scanning service for added protection.

Claim 14

Original Legal Text

14. The method as recited in claim 1 wherein the virtual environment only includes file I/O virtualization.

Plain English Translation

In the malware protection method described, file input/output (I/O) operations write files to a protected storage area inaccessible to the normal operating system, and once the cloud service is available again, the files in this protected area are scanned for malware and clean files are moved to a normal, accessible storage area. The virtual environment only virtualizes file I/O operations, isolating potentially harmful file access.

Claim 15

Original Legal Text

15. The method as recited in claim 1 wherein the first persistent storage area is not a virtual memory and is a real storage space on a hard disk.

Plain English Translation

In the malware protection method described, file input/output (I/O) operations write files to a protected storage area inaccessible to the normal operating system, and once the cloud service is available again, the files in this protected area are scanned for malware and clean files are moved to a normal, accessible storage area. The first protected storage area is a real storage space on a hard disk, not virtual memory.

Claim 16

Original Legal Text

16. The method as recited in claim 1 wherein a hard disk on the computing device does not have a direct relationship with conventional memory address ranges.

Plain English Translation

In the malware protection method described, file input/output (I/O) operations write files to a protected storage area inaccessible to the normal operating system, and once the cloud service is available again, the files in this protected area are scanned for malware and clean files are moved to a normal, accessible storage area. A hard disk on the computing device doesn't have a direct relationship with conventional memory address ranges, separating it from normal memory access.

Claim 17

Original Legal Text

17. The computing device as recited in claim 7 further comprising: an AV agent scanner that operates between the application and the operating system and is used in conjunction with the cloud-based malware scanning service.

Plain English Translation

The computing device protects against malware using a cloud-based scanning service, an application verification module, an I/O redirection engine that creates a virtualized environment, and memory components with quarantined and public storage spaces. The device includes an AV agent scanner operating between the application and the operating system, used with the cloud-based service.

Claim 18

Original Legal Text

18. The computing device as recited in claim 7 wherein the quarantined storage space is not a virtual memory but is a real storage space on the hard disk.

Plain English Translation

The computing device protects against malware using a cloud-based scanning service, an application verification module, an I/O redirection engine that creates a virtualized environment, and memory components with quarantined and public storage spaces. The quarantined storage space isn't virtual memory; it's a real storage space on the hard disk, providing physical isolation.

Patent Metadata

Filing Date: April 8, 2009

Publication Date: August 13, 2013

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Malware protection using file input/output virtualization” (US-8510838). https://patentable.app/patents/US-8510838
